Security monitoring and response

Preparing for post-incident investigation activities is as crucial as responding to the event itself. Often the organization is faced with the decision to move forward with legal actions or cooperate with law enforcement agencies. With the goal of preserving the integrity of the evidence in its most original form, skilled practitioners must meticulously investigate, document, collect and examine the available information in accordance with strict procedures while leveraging specialized tools. Preparing for expert witness testimony also requires extensive preparation and understanding of the events surrounding the investigation.

RSM’s digital forensics team will help identify and preserve information that can be used in an investigation or later proceedings as well as conduct further analysis in support of the recovery of computer systems and networks. We’ll work with you on:

• Understanding proper investigative tools to digitally identify the fingerprints left behind by threat actors
• Working through the evidence collection, documentation and preservation process
• Preparing to function in the capacity of expert witness
• Briefing executive leadership and relevant third parties on the status of the investigation on behalf of the organization
• Properly collecting and maintaining forensics information for criminal, legal, or security matters in accordance with corporate policies on behalf of the organization
• Developing an internal digital forensics team with the right experience and knowledge to support the investigative process

When an intrusion is detected within your organization, it’s critical to contain and eradicate it immediately. While many monitoring and detection tools can help determine the attack chain, organizations often have questions in the aftermath of an incident the tool cannot answer satisfactorily. To help the organization feel confident they’ve put intrusions behind them and begin the recovery process, it’s necessary to involve individuals that specialize in handling compromised environments. Incident response teams typically comprise core members of the security and technology teams as well as specialized third-party skill sets available at a moment’s notice.

Determining the avenues and methods that led to the compromise requires preservation of critical information and vast knowledge of the adversary’s methods. The incident response team must work cautiously to avoid disturbing or destroying evidence and meticulously document each and every step taken in preparation for potential legal action. RSM’s incident response team will work with your organization to provide clarity around detected intrusions and advise you on a range of incident response activities with the goal of helping contain and prevent further harm. Our team will help with:

• Developing an incident response plan that considers the broader business team involvement
• Documenting response scenarios and runbooks to guide incident response team activities
• Providing guidance on communication and public relationship plans
• Developing and delivering tabletop exercises targeted at helping the parties involved understand their roles during an incident
• Gaining access to 24/7/365 incident response and investigation support
• Supporting the organization with expert witness testimony
• Identifying brokers to help assist you with decisions regarding ransom payment as well as facilitating the interactions

Your organization’s technology footprint generates millions—if not billions—of events, any one of which may disclose clues to a potential adversary in their attempts to compromise your environment. Continuous monitoring is necessary to help organizations sift through the noise and generate meaningful insights. When an incident is detected, the event should be prioritized based on criticality and risk to your organization, then appropriate notifications and escalations should be activated. Building the internal capabilities to operate a 24/7/365 security operations centre is time consuming and very costly. Organizations need to weigh the costs of building in-house capabilities against the benefits of working with third-party providers who benefit from economies of scale and can provide high value at an attractive cost point.

RSM Defence, our managed security operations centre (SOC), can function as your around-the-clock vigilant observer and react to threats in near real time. Our XDR platform and services cover your entire computing infrastructure, from ingesting telemetry from your PCs and mobile devices to monitoring your on-premises data centre and cloud computing environments. Our team will assist you with implementing your own capabilities as well as operating your internal monitoring platforms. We’ll work with you on:

• Identifying and classifying critical assets within your environment
• Defining an asset management program and assisting with deployment of asset management technologies
• Operating as your 24/7/365 security operations centre, delivering XDR, MDR and vulnerability services
• Assisting with security monitoring technologies selection, implementation and operation
• Conducting security engineering activities such as use case definition and tuning
• Navigating the decision to internally stand-up security operations capabilities or partner with managed security services providers
• Providing experienced security operations analysts to support your existing operations
• Assisting with the design, development and launch of your internal security operations centre capability

Organizations leverage a multitude of monitoring tools for operational and security purposes.  Investigating and responding to the volume of alerts generated in a timely manner is a daunting task for most security teams. The mean time to detect (MTTD) and respond (MTTR) to high-fidelity alerts is a critical component of successful security operations. Teams need a method to filter through large volumes of low-fidelity alerts quickly to reduce the MTTR while maintaining consistent triage activities. Through the use of orchestration and automation tools, analysts’ can increase productivity, allowing the team to quickly identify and respond to low-fidelity alerts with a predefined set of actions, reducing MTTD and MTTR, and refocusing efforts on tasks with greater value to the organization.

RSM’s monitoring and response specialists will help you determine how to effectively implement automation and orchestration capabilities within your environment. Our team will work with you in areas such as:

• Developing your organization’s strategy for leveraging security orchestration and automation
• Integrating automation and orchestration concepts into your security team’s daily operations
• Selecting and deploying security orchestration, automation and response (SOAR) tools that align with your needs
• Designing and building relevant automation use cases to drive response activities
• Determining the series of predefined actions to automate initial quarantine and triage efforts
• Operating and continually tuning your SOAR platforms

Automated detection tools inundate security operations teams with events. Sifting through the profusion of data to identity the most complicated and advanced threats is the job of an organization’s threat hunters. Programmatic tools only provide clues to the potential threat. The threat hunting team works constantly to neutralize adversaries prior to execution of an attack. They are the elite unit within the security program; key to their success is their ability to think like an attacker, understand the latest attack vectors and methods, leverage similar tools and techniques, then sift through all the noise with the primary goal of identifying the attack before it occurs.

RSM’s threat hunting team is continuously exercising in a constantly escalating game of cat-and-mouse with our world-class penetration team to refine their skill sets. Our team will work with you on:

• Implementing a robust cyber range to continuously enhance threat hunting capabilities
• Training and scenario-based exercises to help your team think like an adversary
• Educating your team on attack trends and modern attack methods
• Advising on the right threat hunting kit and approaches necessary to be effective
• Conducting threat modeling exercises resembling relevant real-world scenarios
• Developing techniques to sift through the noise and focus hunting efforts on highly advanced threats
• Deploy analytical and statistical analysis tools to better visualize relational data and identify meaningful anomalous behaviour

Threat intelligence is a critical component of an effective security monitoring and response program. Threat intelligence helps qualify security threats against known suspicious activity, shares back intelligence to the organization’s security community, provides confirmation that others have seen the activity and helps identify additional attack vectors. It also incorporates risk scoring of threat actors and creates personas to understand the personality of the attacker.

RSM’s threat intelligence team will help investigate information on open and closed sources to determine if adversaries are planning to target your organization or industry, of if nefarious activity is already underway. Our team will help you with:

• Identifying external and internal threats to the organization via a structured research process
• Providing tailored threat briefings aligned to your business or industry
• Identifying previously stolen or compromised data that has subsequently been leaked to open and closed sources
• Conducting periodic or continuous due diligence sweeps for exposed information or chatter
• Investigating the potential exposure resulting from a recent cybersecurity incident
• Identifying external (or internal) threat actors that could target your networks, systems or employees
• Investigating a potential acquisition, subsidiary company or third-party vendor to understand existing cyber exposure
• Monitoring for potential cyberthreats to high-value assets such as executives or board members

Your organization’s environment can be chaotic following a breach or compromise. Fresh off the pain of managing response activities, the executive committee will ask, “When do we return to business as usual?” Often this question is directed to the security and technology teams responsible for restoring critical business systems as they work through the operational aspects of an investigation. Understanding your priority systems and maintaining clean and available backups are a necessity to help facilitate the road to recovery. Working with a team of professionals experienced with navigating the ins and outs of recovery events is critical for successful recovery.

RSM’s response and recovery teams work with organizations to securely recover their technology environment necessary to drive normal business operations after an incident occurs. Our team will help you with:

• Designing a more secure architecture with enhanced protection mechanisms to mitigate future loss
• Reimaging and rebuilding of infected components within the technology landscape
• Navigating the road to recovery and coming back to business operations as usual
• Automating lower risk response activities to expedite triaging and remediation efforts
• Developing and updating contingency and recovery plans as well as recovery scripts and playbooks
• Modernizing security architecture by leveraging modern concepts such as zero/adaptive trust and secure access service edge (SASE)
• Defining a secure architecture design that aligns with the future business direction and plans for technology usage
• Establishing effective backup and recovery strategies designed to account for advancement in adversarial techniques